Systems and methods for managing data incidents

ABSTRACT

Systems and methods for managing a data incident are provided herein. Exemplary methods may include providing an external entity interface that receives external entity information including a contract between a first party and at least one additional party, notification obligations that specify when the first party or the at least one additional party notifies entities that a data incident has occurred, and properties that trigger an assessment of the notification obligations. When an incident occurs, an assessment is completed and the results thereof are displayed on a risk assessment guidance interface.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a continuation-in-part that claims thebenefit and priority of U.S. Non-Provisional patent application Ser. No.14/588,159 filed on Dec. 31, 2014, now issued as U.S. Pat. No. 9,483,650on Nov. 1, 2016, which is a continuation-in-part that claims the benefitand priority of U.S. Non-Provisional patent application Ser. No.14/311,253 filed on Jun. 21, 2014, which is a continuation that claimsthe benefit and priority of U.S. Non-Provisional patent application Ser.No. 13/691,661 filed on Nov. 30, 2012, now issued as U.S. Pat. No.8,763,133 on Jun. 24, 2014, which is a continuation that claims thebenefit and priority of U.S. Non-Provisional patent application Ser. No.13/396,558 filed on Feb. 14, 2012, now issued as U.S. Pat. No. 8,707,445on Apr. 22, 2014, all of which are hereby incorporated by referenceherein in their entirety including all references cited therein.

FIELD OF THE TECHNOLOGY

Embodiments of the disclosure relate to information privacy. Morespecifically, but not by way of limitation, the present technologyrelates to the management of data incidents. The management of a dataincident may comprise conducting an analysis of a data incident datarelative to federal and state privacy rules and generating a riskassessment and incident response plan for the data incident.Additionally, the present technology may generate notification schedulesand gather/transmit notification information for data incidents having arisk assessment that is indicative of a high level of risk.

BACKGROUND OF THE DISCLOSURE

Data incidents involve the exposure of sensitive information, such aspersonally identifiable information and protected health information, tothird parties. Data incidents may comprise data breaches, privacybreaches, privacy or security incidents, and other similar events thatresult in the exposure of sensitive information to third parties. Someof these exposures may be subject to numerous state and federal statutesthat delineate requirements that are to be imposed upon the party thatwas entrusted to protect the data. Personally identifiable information(hereinafter, “PII”) and protected health information (hereinafter,“PHI”), which regard healthcare-related information for individuals thatare maintained by a covered entity (e.g., an entity that has beenentrusted with the PHI such as a hospital, clinic, health plan, and soforth), may include, but are not limited to, healthcare, financial,political, criminal justice, biological, location, and/or ethnicityinformation. For purposes of brevity, although each of these types ofPII and PHI may have distinct nomenclature, all the aforementioned typesof information will be referred to herein as PII/PHI.

SUMMARY OF THE DISCLOSURE

According to some embodiments, the present technology may be directed tomethods managing a data incident. The methods may comprise: (a)receiving, via a risk assessment server, in response to an occurrence ofthe data incident, data incident data that comprises informationcorresponding to the data incident, the data incident further comprisingintentional or unintentional release of personally identifiableinformation to an untrusted environment; (b) automatically generating,via the risk assessment server, a risk assessment from a comparison ofthe data incident data to privacy rules, the privacy rules comprising:(i) at least one federal rule; (ii) at least one state rule, each of therules defining requirements associated with data incident notificationlaws; and (iii) at least one contractual obligation defining contractualrequirements of a breaching party due to the data incident, thebreaching party being a party to the at least one contractualobligation; (c) providing, via the risk assessment server, the riskassessment to a display device that selectively couples with the riskassessment server; and (d) generating a notification schedule when thecomparison indicates that the data incident violates at least one of theat least one federal rule, the at least one state rule, the at least onecontractual obligation, or combinations thereof.

According to other embodiments, the present technology is directed to arisk assessment server for managing a data incident. In some instances,risk assessment server may comprise: (a) a memory for storing executableinstructions; (b) a processor for executing the instructions; (c) aninput module stored in memory and executable by the processor to receivein response to an occurrence of the data incident, data incident data,the data incident data comprising information corresponding to the dataincident, the data incident further comprising intentional orunintentional release of personally identifiable information to anuntrusted environment; (d) a risk assessment generator stored in memoryand executable by the processor to generate a risk assessment from acomparison of the data incident data to privacy rules, the privacy rulescomprising: (i) at least one federal rule; (ii) at least one state rule,each of the rules defining requirements associated with data incidentnotification laws; and (iii) at least one contractual obligationdefining contractual requirements of a breaching party due to the dataincident, the breaching party being a party to the at least onecontractual obligation; (e) a user interface module stored in memory andexecutable by the processor to provide the risk assessment to a displaydevice that selectively couples with the risk assessment server; and (f)a notification module generating a notification schedule when thecomparison indicates that the data incident violates at least onefederal rule, the at least one state rule, the at least one contractualobligation, or combinations thereof.

According to some embodiments, the present technology is directed to amethod for managing a data incident, comprising: (a) receiving, via arisk assessment server, in response to an occurrence of the dataincident, data incident data that comprises information corresponding tothe data incident, the data incident further comprising intentional orunintentional release of personally identifiable information to anuntrusted environment; (b) automatically generating, via the riskassessment server, a risk assessment from a comparison of the dataincident data to privacy rules, the privacy rules comprising: (i) atleast one federal rule; (ii) at least one state rule, each of the rulesdefining requirements associated with data incident notification laws;and (iii) at least one contractual obligation defining contractualrequirements of a breaching party due to the data incident, thebreaching party being a party to the at least one contractualobligation; (c) providing, via the risk assessment server, the riskassessment to a display device that selectively couples with the riskassessment server; (d) receiving one or more selections of one or morestates; (e) selecting one or more state statutes based upon the one ormore selections; (f) generating at least one state rule based upon aselected state statute; and (g) generating a notification schedule whenthe comparison indicates that the data incident violates at least one ofthe at least one federal rule, the at least one state rule, the at leastone contractual obligation, or combinations thereof.

According to some embodiments, the present technology is directed to arisk assessment server for managing a data incident, the servercomprising: (a) a memory for storing executable instructions; (b) aprocessor for executing the instructions; (c) an input module stored inmemory and executable by the processor to receive in response to anoccurrence of the data incident, data incident data, the data incidentdata comprising information corresponding to the data incident, the dataincident further comprising intentional or unintentional release ofpersonally identifiable information to an untrusted environment; (d) arisk assessment generator stored in memory and executable by theprocessor to generate a risk assessment from a comparison of the dataincident data to privacy rules, the privacy rules comprising: (i) atleast one federal rule; (ii) at least one state rule, each of the rulesdefining requirements associated with data incident notification laws;and (iii) at least one contractual obligation defining contractualrequirements of a breaching party due to the data incident, thebreaching party being a party to the at least one contractualobligation; (e) a user interface module stored in memory and executableby the processor to provide the risk assessment to a display device thatselectively couples with the risk assessment server; and (f) a rulegenerator stored in memory and executable by the processor to: (1)generate the at least one federal rule from a federal statute thatgoverns privacy breaches relative to protected health information (PHI);or (2) generate the at least one state rule from a state statute thatgoverns privacy breaches relative to at least one of personallyidentifiable information (PII), PHI, or combinations thereof; andfurther comprising a notification module generating a notificationschedule when the comparison indicates that the data incident violatesat least one of the at least one federal rule, the at least one staterule, the at least one contractual obligation, or combinations thereof.

According to some embodiments, the present technology is directed to amethod for managing a data incident, comprising: (a) receiving, via arisk assessment server, in response to an occurrence of the dataincident, data incident data that comprises information corresponding tothe data incident, the data incident further comprising intentional orunintentional release of personally identifiable information to anuntrusted environment; (b) determining at least one contractualobligation existing between two or more parties, the at least onecontractual obligation defining contractual requirements of a breachingparty due to the data incident, the breaching party being one of the twoor more; (c) automatically generating, via the risk assessment server, arisk assessment for the breaching party using a comparison of the dataincident data to privacy rules, the privacy rules comprising at leastone of: (i) at least one federal rule; (ii) at least one state rule,each of the rules defining requirements associated with data incidentnotification laws; and (iii) the at least one contractual obligation;(d) providing, via the risk assessment server, the risk assessment to adisplay device that selectively couples with the risk assessment server;and (e) generating a notification schedule when the comparison indicatesthat the data incident violates at least one of the at least one federalrule, the at least one state rule, the at least one contractualobligation, or combinations thereof.

According to some embodiments, the present technology is directed to amethod performed by a risk assessment server that comprises a processorand memory for storing instructions, the processor executing theinstructions to perform the method, the method comprising: (a) creatingan incident record for a data incident, the data record includesinformation regarding the data incident; (b) selecting one or more rolesfor each party involved in the data incident, wherein any party can beassigned two or more roles for the data incident based on a contractualrelationship with the party and another party; (c) automaticallygenerating a risk assessment from a comparison of the data incident tothe privacy rules; and (d) generating a notification schedule for eachparty to the data incident that is based on the role or roles for theparty when a comparison of the privacy rules to the data incidentindicates that the data incident violates at least one of the at leastone federal rule, the at least one state rule, the at least onecontractual obligation, or combinations thereof.

In one embodiment, a method includes: (a) providing an external entityinterface that receives: (i) external entity information comprising: (1)a contract between a first party and at least one additional party; (2)notification obligations that specify when the first party or the atleast one additional party notifies entities that a data incident hasoccurred; and (3) properties that trigger an assessment of thenotification obligations; (b) receiving, via a risk assessment server,in response to an occurrence of the data incident, data incident datathat comprises information corresponding to the data incident, the dataincident further comprising intentional or unintentional release ofpersonally identifiable information to an untrusted environment by thefirst party or the at least one additional party; (c) comparing the dataincident data to the properties that trigger an assessment; (d) whereinif the properties indicate that an assessment is required, generating,via the risk assessment server, a risk assessment from a comparison ofthe data incident data to privacy rules, the privacy rules comprising:(I) at least one federal rule; (II) at least one state rule, each of therules defining requirements associated with data incident notificationlaws; and (III) the contract; (e) providing, via the risk assessmentserver, the risk assessment to a display device that selectively coupleswith the risk assessment server; and (f) generating a risk assessmentguidance interface when the comparison indicates that the data incidentviolates at least one of the at least one federal rule, the at least onestate rule, the contract, or combinations thereof.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, where like reference numerals refer toidentical or functionally similar elements throughout the separateviews, together with the detailed description below, are incorporated inand form part of the specification, and serve to further illustrateembodiments of concepts that include the claimed disclosure, and explainvarious principles and advantages of those embodiments.

The methods and systems disclosed herein have been represented whereappropriate by conventional symbols in the drawings, showing only thosespecific details that are pertinent to understanding the embodiments ofthe present disclosure so as not to obscure the disclosure with detailsthat will be readily apparent to those of ordinary skill in the arthaving the benefit of the description herein.

FIG. 1 illustrates an exemplary system for practicing aspects of thepresent technology;

FIG. 2 illustrates an exemplary conversion application for managing dataincidents;

FIG. 3 illustrates an exemplary graphical user interface (GUI) in theform of a data incident details page;

FIG. 4 illustrates an exemplary GUI in the form of a data incidentdashboard;

FIG. 5 illustrates an exemplary GUI in the form of a state specific riskassessment selection and notification page;

FIG. 6 illustrates an exemplary GUI in the form of a data sensitivitylevel evaluation and selected federal and state specific riskassessments page;

FIG. 7 illustrates an exemplary GUI in the form of a federal riskassessment page;

FIG. 8 illustrates an exemplary GUI in the form of a state specific riskassessment page;

FIG. 9 illustrates an exemplary GUI in the form of a statute summarypage;

FIG. 10 illustrates an exemplary GUI in the form of an aggregatednotification schedules page;

FIGS. 11-13 illustrate exemplary GUIS that are utilized to collect,store, and transmit pertinent documents or data;

FIG. 14 is a flowchart of an exemplary method for managing a dataincident; and

FIG. 15 illustrates an exemplary computing device that may be used toimplement embodiments according to the present technology.

FIG. 16 is a flowchart of a method for managing a data incident, themethod including at least one contractual obligation.

FIG. 17 is a flowchart of a method for managing a data incidentinvolving parties with different roles.

FIG. 18 is a table of various party roles (properties), partytypes/relationships, and internal/external notifications.

FIG. 19 is a flowchart of a method for external entity workflow for adata incident.

FIG. 20 is a graphical user interface in the form of an external entityincident input screen where a party, contract, notification, andadditional details are input into the risk assessment server.

FIG. 21 is a graphical user interface that provides a list of externalentities.

FIG. 22 is a graphical user interface that displays a summary of anincident, as well as detailed information for one or more externalentities impacted by a data incident.

FIG. 23 is a graphical user interface that provides detailed informationregarding a data incident.

FIG. 24 is a graphical user interface that provides yet additionaldetails regarding the data incident in addition to those provided inFIG. 23.

FIGS. 25-35 collectively illustrate various example features that can beimplemented within the risk assessment server. The features are listedin tabular format.

DETAILED DESCRIPTION

In the following description, for purposes of explanation, numerousspecific details are set forth in order to provide a thoroughunderstanding of the disclosure. It will be apparent, however, to oneskilled in the art, that the disclosure may be practiced without thesespecific details. In other instances, structures and devices are shownat block diagram form only in order to avoid obscuring the disclosure.

Generally speaking, the present technology may be directed to managingdata incidents. It will be understood that the terms “data incident” maybe understood to encompass privacy incidents, security incidents,privacy breaches, data breaches, data leaks, information breaches, dataspills, or other similarly related events related to the intentional orunintentional release of protected information to an untrustedenvironment. This protected information may be referred to as personallyidentifiable information (hereinafter “PII/PHI”) or protected healthinformation (e.g., an entity that has been entrusted with the PHI suchas a hospital, clinic, health plan, and so forth).

PII/PHI may encompass a wide variety of information types, butnon-limiting examples of PII comprise an individual's full name, a dateof birth, a birthplace, genetic information, biometric information(face, finger, handwriting, etc.), national identification number (e.g.,social security), vehicle registration information, driver's licensenumbers, credit card numbers, digital identities, and Internet Protocoladdresses.

Other types of information may, in some instances, be categorized asPII/PHI, such as an individual's first or last name (separately), age,residence information (city, state, county, etc.), gender, ethnicity,employment (salary, employer, job description, etc.), and criminalrecords—just to name a few. It is noteworthy to mention that the typesof information that are regarded as PII are subject to change andtherefore may include more or fewer types of information than thoselisted above. Additionally, what constitutes PII/PHI may be specificallydefined by a local, state, federal, or international data privacy laws.

While entities that are subject to these privacy laws may be referred toin a variety of ways, for consistency and clarity an entity (eitherindividual or corporate) that is entrusted with PII/PHI will hereinafterbe referred to as an “entrusted entity.”

It will be understood that the privacy laws contemplated herein maycomprise details regarding not only how an entrusted entity determinesif a data incident violates the law, but also when the provision ofnotification to one or more privacy agencies and/or the customers of theentrusted entity is warranted.

According to some embodiments, the present technology is directed togenerating risk assessments for data incidents. These risk assessmentsprovides specific information to the entrusted entity regarding theseverity of the data incident relative to a state or federal rule.Additionally, the risk assessment provides information regarding thedata sensitivity for the data incident. That is, the risk assessment maydetermine if the type of data that was exposed is highly sensitiveinformation. As mentioned before, some PII/PHI may be considered moresensitive than others. For example, a social security number may be moresensitive than a gender description, although the relative sensitivityfor different categories of PII/PHI are typically delineated in theprivacy rules and may require delineation in the context of each dataincident.

The present technology may determine the severity and/or datasensitivity for a data incident by collecting data incident data from anentrusted entity. This data incident data may be compared against one ormore selected privacy rules to determine the severity and/or datasensitivity for the data incident. In some instances, the presenttechnology may model the data incident data to the one or more privacyrules.

According to some embodiments, the privacy rules described herein maycomprise the content of a state and/or federal statute. In otherembodiments, the privacy rules may comprise abstracted or mathematicallyexpressed rules that have been generated from the text of the stateand/or federal statute. Applying a privacy rule to the data incidentdata may yield values for the severity and/or the data sensitivity ofthe data incident.

In some embodiments, the risk assessment may provide indication to theentrusted entity that an obligation has occurred. More specifically, ifthe severity of the data incident and/or the data sensitivity of thedata incident when compared to the privacy rules indicates that the dataincident has violated at least one of the privacy rules, the riskassessment may include an indication that an obligation has beencreated. An obligation may require the entrusted entity to notifysubjected individuals that their PII/PHI has been potentially exposed.The obligation may also require that notification be provided to aregulating authority such as the department of Health and Human Services(HHS), Office for Civil Rights (OCR), Federal Trade Commission, a stateagency, or any agency that regulates data incident notification.

The present technology allows entrusted entities to model data incidentdata to privacy rules which include at least one state rule and at leastone federal rule. In some instances, entrusted entities may model dataincidents to the rules of several states to generate risk assessments ofeach of the states. This is particularly helpful when entrusted entitiesservice customers in many states. Moreover, each of these states mayhave differing notification requirements, along with different metricsfor determining when a data incident requires notification.

In some embodiments, the risk assessment may include a risk level thatis associated with a color. More specifically, a hue of the color isassociated with the severity of the data incident as determined by thecomparison or modeling if the data incident data.

According to the present disclosure, the present technology may generatea notification schedule for an entrusted entity along with mechanismsthat aid the entrusted entity in gathering pertinent information that isto be provided to the customer and/or one or more regulatory agencies.

These and other advantages of the present technology will be describedin greater detail with reference to the collective FIGS. 1-15.

FIG. 1 illustrates an exemplary system 100 for practicing aspects of thepresent technology. The system 100 may include a risk assessment system,hereinafter “system 105” that may be implemented in a cloud-basedcomputing environment, or as a web server that is particularly purposedto manage data incidents.

In general, a cloud-based computing environment is a resource thattypically combines the computational power of a large grouping ofprocessors and/or that combines the storage capacity of a large groupingof computer memories or storage devices. For example, systems thatprovide a cloud resource may be utilized exclusively by their owners; orsuch systems may be accessible to outside users who deploy applicationswithin the computing infrastructure to obtain the benefit of largecomputational or storage resources.

The cloud may be formed, for example, by a network of web servers, witheach web server (or at least a plurality thereof) providing processorand/or storage resources. These servers may manage workloads provided bymultiple users (e.g., cloud resource customers or other users).Typically, each user places workload demands upon the cloud that vary inreal-time, sometimes dramatically. The nature and extent of thesevariations typically depend on the type of business associated with theuser.

In other embodiments, the system 105 may include a distributed group ofcomputing devices, such as web servers, that do not share computingresources or workload. Additionally, the system 105 may include a singlecomputing device, such as a web server, that has been provisioned withone or more programs that are utilized to manage data incidents.

End users may access and interact with the system 105 via the clientdevice 110 through a web-based interface, as will be discussed ingreater detail infra. Alternatively, end users may access and interactwith the system 105 via a downloadable program that executes on theclient device 110. The system 105 may selectively and communicativelycouple with a client device 110 via a network connection 115. Thenetwork connection 115 may include any one of a number of private andpublic communications mediums, such as the Internet.

Additionally, the system 105 may collect and transmit pertinentinformation to regulatory agencies, such as regulatory agency 120, aswill be discussed in greater detail infra. In some instances,notification may also be provided to affected individuals 125.

The system 105 may be generally described as a mechanism for managingdata incidents. The system 105 may manage a data incident by collectingdata incident data for the data incident and then modeling the dataincident data to privacy rules. As mentioned previously, the privacyrules may include at least one state rule and at least one federal rule.The modeling of the data incident data may be utilized to generate arisk assessment for the data incident. The risk assessment may beutilized by an entrusted entity to determine how best to respond to thedata incident. The system 105 is provided with a risk assessmentapplication 200 that will be described in greater detail with referenceto FIG. 2.

FIG. 2 illustrates a risk assessment application, hereinafter referredto as application 200. In accordance with the present disclosure, theapplication 200 may generally include a user interface module 205, aninput module 210, a risk assessment generator 215, a notification module220, and a reporting module 225. It is noteworthy that the application200 may include additional modules, engines, or components, and stillfall within the scope of the present technology. Moreover, thefunctionalities of two or more modules, engines, generators, or othercomponents may be combined into a single component.

As used herein, the terms “module,” “generator,” and “engine” may alsorefer to any of an application-specific integrated circuit (“ASIC”), anelectronic circuit, a processor (shared, dedicated, or group) thatexecutes one or more software or firmware programs, a combinationallogic circuit, and/or other suitable components that provide thedescribed functionality. In other embodiments, individual modules of theapplication 200 may include separately configured web servers. Also, theapplication 200 may be provisioned with a cloud.

Generally described, the application 200 allows entrusted entities toinput data incident data, have one or more risk assessments generated,and receive the one or more risk assessments, along with notificationsschedules, as required.

An entrusted entity may interact with the application 200 via agraphical user interface that is provisioned as a web-based interface.The web-based interface may be generated by the user interface module205. It will be understood that the user interface module 205 maygenerate a plurality of different graphical user interfaces that allowindividuals associated with the entrusted entity (e.g., privacy officer,compliance officer, security officer, attorney, employee, agent, etc.)to utilize and interact with the application 200. Examples of graphicaluser interfaces that are generated by the user interface module 205 areprovided in FIGS. 3-13, which will be described in greater detail infra.

Upon the occurrence of a data incident, the input module 210 may beexecuted to receive data incident data from the entrusted entity. It isnoteworthy that the user interface module 205 may generate differenttypes of graphical user interfaces that are tailored to obtain specifictypes of data incident data from the entrusted entity.

Initially, it may be desirable for the entrusted entity to establish aprofile that may be utilized to determine if the entity that is usingthe application 200 is, in fact, an entrusted entity. It is noteworthyto mention that the determination of which entities are entrustedentities depends upon the privacy rule. For example, an entity may beconsidered to be an entrusted entity under a particular federal statute,but may not be labeled an entrusted entity under one or more statestatutes. Likewise, different states may have discrepant methods fordetermining what constitutes an entrusted entity.

Therefore, it may be advantageous to determine information about theentity such as what types of information they collect and where theyconduct business. The input module 210 may be executed to solicitpertinent information from the entity that may be utilized to determineif the entity is an entrusted entity. Again, the entity may specify aplurality of states in which they conduct business, or the states ofresidence/domicile for customers with which they conduct business.

If it is determined that the entity is an entrusted entity, the inputmodule may further solicit data incident data for one or more dataincidents. Pertinent data incident data may include the type of datathat was compromised, the date of compromise, the amount of data thatwas compromised, were there security measures in place (e.g.,encryption, redaction, etc.), was the incident intentional orunintentional, was the incident malicious or non-malicious, how the datawas compromised (e.g., theft of laptop, database security failure, loststorage media, hacked application, hacked computing device (e.g., webserver, email server, content repository, etc.), and other types ofinformation that assist in determining a risk level for the dataincident as well as any notification obligations.

In some instances, rather than soliciting generalized data incident datafrom the entrusted entity, the input module 210 may select questionsthat solicit data that is particularly relevant to the privacy rules towhich the entrusted entity is subject. For example, if a privacy rulespecifies that a threshold amount of records must be exposed in order tocreate an obligation, the end user may be asked if their amount ofexposed records meets or exceeds that threshold amount. This type oftailored questioning narrows the analysis that is performed of the dataincident data and improves the efficiency of the risk assessmentprocess.

Once the data privacy data has been received, the input module 210 maygenerate a summary of the data privacy data (or at least a portion ofthe data) that is provided to the entrusted entity via a graphical userinterface generated by the user interface module 205.

The input module 210 may be configured to solicit confirmation from theentrusted entity that the data privacy data in the summary is correct.If the data is incorrect, the entrusted entity may go back and correctthe errant data.

As mentioned briefly above, the input module 210 may solicit and receiveone or more selections of one or more states from the entrusted entity.Using the selections, the input module 210 may select one or more statestatutes based upon the one or more selections. Also, the input module210 may generate at least one state rule for each selected statestatute. Additionally, one or more federal rules may be selected andgenerated as well.

The input module 210 may generate a state or federal privacy rule byevaluating the state/federal statute and creating a plurality ofqualifications from the statutes. Qualifications for a statute mayinclude, for example, thresholds or formulas that are used to determineif the data incident data of a data incident violates the statute.Stated otherwise, these qualifications may be used as a mathematicalmodel of a statute. Data incident data may be evaluated in light of themodel. The resultant modeling may be used to generate a risk assessmentfor the data incident.

The risk assessment generator 215 may be executed to generate one ormore risk assessments for the data incident. The risk assessmentgenerator 215 may model the data incident data to the selected ordetermined privacy rules to determine if an obligation has beentriggered under a privacy rule.

Again, risk assessments may be generated by modeling the data incidentdata to at least one state rule and at least one federal rule. The riskassessment may combine risk levels for each rule into a single riskassessment, or individual risk assessments may be generated for eachrule.

Modeling of the data incident data to a privacy rule (either state orfederal) by the risk assessment generator 215 may result in thegeneration of a severity value and a data sensitivity value for the dataincident. The severity value may represent the extent to which PII/PHIhas been compromised, while the data sensitivity value may represent therelative sensitivity of the PII/PHI that was compromised. These twofactors may independently or dependently serve as the basis fordetermining if a notification obligation exists. For example, if theseverity value meets or exceeds a threshold amount, a notificationobligation may exist. If the data sensitivity value meets or exceeds athreshold amount, a notification obligation may exist. In some instance,a notification obligation may only exist if the sensitivity value andthe data sensitivity value both exceed threshold amounts. Again, thethreshold amounts are specified by the particular privacy rule that isbeing applied to the data incident data.

The risk assessment generator 215 may also determine and applyexceptions that exist in a state or federal statute during thegeneration of a risk assessment. These exceptions may be noted andincluded in the risk assessment.

The risk assessment generator 215 may create a visual indicator such asa risk level or heat map that assists the entrusted entity indetermining whether a data incident is relatively severe or relativelybenign. This visual indicator may be included in the risk assessment.For example, a risk assessment may include a risk level that includes avisual indicator, such as a colored object. In some embodiments, a hueof the object is associated with the severity of the data incident,where red may indicate a severe risk and green may indicate a benignrisk, with orange or yellow hues falling somewhere in between. Examplesof heat maps and risk level indicators are illustrated in FIG. 7.

Included in the risk assessment, in some instances, is a summary ofsections of the state or federal privacy statute. For example, withregard to a state specific assessment, the risk assessment generator 215may generate an outline of key information about the state statute thatwas utilized to generate the state specific risk assessment. Thisoutline may be displayed to the entrusted entity via a user interface.

If the risk assessment generator 215 determines that the data incidentviolates one or more statutes (e.g., high severity value, PII/PHI isvery sensitive, etc.), the notification module 220 may be executed togenerate a notification schedule. The notification schedule may begenerated based upon a data associated with the data incident. That is,the statute may specify when notification is to occur, relative to thedate that PII was exposed.

Additionally, the notification schedule informs the entrusted entity asto what types of information are to be provided, along with theregulatory bodies to which the information should be provided. Again,the notification schedule may be generated from the statute itself. Forexample, a statute may specify that the data incident data (or a portionof the data incident data) collected by the input module 210 should beprovided to a particular state agency within a predetermined period oftime. Again, if a plurality of states have been designated or selected,the notification schedule may include notification dates for each stateagency.

To assist the entrusted entity in meeting their notificationobligations, the reporting module 225 may be executed to gatherpertinent documents or other information from the entrusted entity andtransmit these documents to the required reporting authorities. Thereporting module 225 may prompt the entrusted entity to attach documentsvia a user interface. Once attached, these documents/data may be storedin a secured repository for submission to regulatory agency. In otherinstances, the entrusted entity may transmit required informationdirectly to the regulatory agency.

Additionally, the reporting module 225 may provide requirednotifications to affected individuals, such as the individualsassociated with the PII/PHI that was compromised.

FIGS. 3-13 illustrate various exemplary graphical user interfaces (GUI)that are generated by the user interface module 205. Each of theexemplary user interfaces will be described below.

FIG. 3 illustrates an exemplary GUI in the form of a data incidentsummary page. The summary page 300 includes a plurality of receivedanswers to questions that were provided to the entrusted entity.Responses that were received indicate that the data incident involvedthe loss of a cellular telephone, an incident date of Jan. 2, 2012, anincident discover date of Jan. 16, 2012, and other pertinent dataincident data.

FIG. 4 illustrates an exemplary GUI in the form of a data incidentdashboard page 400. The data incident dashboard page 400 includeslisting of pending and completed risk assessments for a plurality ofdata incidents. Each entry may include a risk indicator having aparticular color to help the entrusted entity in quickly determiningdata incidents that are high risk. A risk indicator may be associatedwith a particular privacy rule. For example, a risk indicator for anEmployee Snooping data incident indicates that a moderately high risk isassociated with the data incident relative to HITECH rules (e.g., rulesassociated with the compromise of PHI). This moderately high risk isindicated by a yellow dot placed within a row of a “HITECH Status”column. Additionally, a severe risk is associated with a state privacyrule. This severe risk is indicated by a red dot placed within a row ofa “State Impact” column.

FIG. 5 illustrates an exemplary GUI in the form of a state specificselection and notification page 500. The notification page is shown ascomprising an image that informs the trusted entity that six states havebeen affected by the data incident. To view a risk assessment for eachstate, the trusted entity may click on any of the stated listed in theleftmost frame.

FIG. 6 illustrates an exemplary GUI in the form of a data sensitivitylevel evaluation page 600. The page includes a plurality of datasensitivity indicators the sensitivity for different types of PII/PHIthat were compromised by the data incident. For example, medical recordnumbers are shown in red as being highly sensitive. Moreover, medicalrecord numbers may pose financial, reputational, and medical harm, whichare just some of the dimensions of potential harm caused by compromiseof PII/PHI. In contrast, the data incident also compromised individual'sdate of birth. As determined by entrusted entity, that type of PII/PHIis not considered highly sensitive and thus, has been depicted in green.

FIG. 7 illustrates an exemplary GUI in the form of a risk assessmentpage 700. The risk assessment page 700 includes a heat map 705 andcorresponding risk level indicator 710, which is placed within the heatmap 705. The heat map 705 includes a grid where vertical placementindicates data sensitivity level and horizontal placement indicatesseverity level. As is shown, as the sensitivity and severity levelsincrease, so do the odds that the data incident may trigger anobligation to notify affected parties. In this instance, the risk levelis high because the sensitivity level is high and the severity level isextreme.

Positioned below the heat map 705 is a notification schedule thatincludes not only the obligations for the entrusted entity, but also theexpected notification dates. Again, this schedule may be based uponrequirements included in the violated statute.

FIG. 8 illustrates an exemplary GUI in the form of a state specific riskassessment page 800. The state specific risk assessment page 800includes a risk assessment for the State of California. The state impactis shown as high and a summary of the types of PII/PHI that were exposedare summarized below the state impact indicator. Similarly to the riskassessment page 700 of FIG. 7, a notification schedule is included onthe state specific risk assessment page 800. It is noteworthy that astate specific risk assessment page may be generated for each affectedstate (such as the affected states listed on the state specificselection and notification page 500 of FIG. 5.

FIG. 9 illustrates an exemplary GUI in the form of a statute summarypage 900. The statute summary page 900 includes a copy (or a portion) ofthe privacy statutes (California Civil Code 1798.29 & 1798.82;California Health and Safety Code 1280.15) that were utilized togenerate the state specific risk assessment that was provided on in FIG.8. Note that the summary also includes whether the state statutesinclude harm test and exceptions which are flagged by the riskassessment generator 215 according to the specific privacy statutes.

FIG. 10 illustrates an exemplary GUI in the form of an aggregatednotification page 1000. The aggregated notification page 1000 includes anotification schedule for each affected privacy statute (e.g., federaland state(s)) relative to one or more data incidents. A list ofnotification events is provided and the end user may utilize the checkboxes to select which states (or federal) risk assessment notificationschedules are displayed.

FIGS. 11-13 illustrate exemplary GUIS that are utilized to collect,store, and transmit pertinent documents or data. FIG. 11 illustrates anattachments page 1100 that shows a plurality of documents that have beenuploaded to the system, such as media notification, attorney generalnotification, privacy policy, and corrective action plan. Positionedadjacent to the list of documents is a checklist that includes all thepertinent documentation that is to be provided to regulatoryauthorities, the media, and/or affected individuals. As the requireddata are uploaded, each required data category is noted with a greencheck mark. Missing elements can be easily determined and uploaded.

It is noteworthy to mention that the on-time reporting of requiredincident data may be paramount in determining compliance and good faithon the part of an entrusted entity. Consequently, failure to meetrequired notification deadlines may result in fines and other regulatorypunishment.

FIG. 12 illustrates an upload page 1200 that may be utilized by anentrusted entity to upload and categorize required complianceinformation (e.g., documents shown in FIG. 11). Files may be tagged withmetadata linking them to the related federal and states risk assessmentsbefore they are stored in a content repository or transmitted to anappropriate party.

FIG. 13 illustrates an exemplary time stamped notation and actions page1300 that displays notes entered into the system by a particular enduser. Actions may include a note that a particular employee is to beretrained and certified. Any type of related action such as a remedialaction, uploading of a file, or other notification and/or compliancerelated action may be noted and associated with a particular riskassessment.

FIG. 14 illustrates a flowchart of an exemplary method for managing adata incident. The method may include a step 1405 of receiving dataincident data. The data incident data may include information thatpertains or corresponds to the data incident. Also, the method mayinclude a step 1410 of automatically generating a risk assessment from acomparison of data incident data to privacy rules. The privacy rules maycomprise at least one federal rule and at least one state rule, whereeach of the rules defining requirements associated with data incidentnotification laws. Additionally, the comparison may include modeling thedata incident data against privacy rules. Also, the method may include astep 1415 of providing the risk assessment to a display device thatselectively couples with a risk assessment server. It is noteworthy tomention that the risk assessment may include a visual representation ofthe risk associated with a data incident relative to the privacy rules.

Additionally, for data incidents that violate a privacy rule (eitherstate or federal) the method may include a step 1420 of generating anotification schedule for the data incident, along with an optional step1425 of transmitting notification information to a regulatory agencyand/or affected individuals (e.g. those who's PII/PHI has beencompromised).

FIG. 15 illustrates an exemplary computing device 1500 that may be usedto implement an embodiment of the present technology. The computingdevice 1500 of FIG. 15 (or portions thereof) may be implemented in thecontext of system 105 (FIG. 1). The computing device 1500 of FIG. 15includes one or more processor(s) 1510 and main memory 1520. Main memory1520 stores, in part, instructions and data for execution by processor1510. Main memory 1520 may store the executable code when in operation.The computing device 1500 of FIG. 15 further includes a mass storagedevice 1530, portable storage device 1540, output devices 1550, inputdevices 1560, a display system 1570, and peripheral device(s) 1580.

The components shown in FIG. 15 are depicted as being connected via asingle bus 1590. The components may be connected through one or moredata transport means. Processor 1510 and main memory 1520 may beconnected via a local microprocessor bus, and the mass storage device1530, peripheral device(s) 1580, portable storage device 1540, anddisplay system 1570 may be connected via one or more input/output (I/O)buses.

Mass storage device 1530, which may be implemented with a magnetic diskdrive or an optical disk drive, is a non-volatile storage device forstoring data and instructions for use by processor 1510. Mass storagedevice 1530 may store the system software for implementing embodimentsof the present invention for purposes of loading that software into mainmemory 1520.

Portable storage device 1540 operates in conjunction with a portablenon-volatile storage medium, such as a floppy disk, compact disk,digital video disc, or USB storage device, to input and output data andcode to and from the computing device 1500 of FIG. 15. The systemsoftware for implementing embodiments of the present invention may bestored on such a portable medium and input to the computer device 1500via the portable storage device 1540.

Input devices 1560 provide a portion of a user interface. Input devices1560 may include an alpha-numeric keypad, such as a keyboard, forinputting alpha-numeric and other information, or a pointing device,such as a mouse, a trackball, stylus, or cursor direction keys.Additionally, the computing device 1500 as shown in FIG. 15 includesoutput devices 1550. Suitable output devices include speakers, printers,network interfaces, and monitors.

Display system 1570 may include a liquid crystal display (LCD) or othersuitable display device. Display system 1570 receives textual andgraphical information, and processes the information for output to thedisplay device.

Peripheral device(s) 1580 may include any type of computer supportdevice to add additional functionality to the computer system.Peripheral device(s) 1580 may include a modem or a router.

The components provided in the computing device 1500 of FIG. 15 arethose typically found in computer systems that may be suitable for usewith embodiments of the present invention and are intended to representa broad category of such computer components that are well known in theart. Thus, the computing device 1500 of FIG. 15 may be a personalcomputer, hand held computing device, telephone, mobile computingdevice, workstation, server, minicomputer, mainframe computer, or anyother computing device. The computer may also include different busconfigurations, networked platforms, multi-processor platforms, etc.Various operating systems may be used including Unix, Linux, Windows,Macintosh OS, Palm OS, Android, iPhone OS and other suitable operatingsystems. The computing device 1500 may also utilize web browserapplications that display the web-based graphical user interfacesdescribed herein. Exemplary web browser applications may include, butare not limited to, Internet Explorer, Firefox, Safari, Chrome, andother web browser applications that would be known to one of ordinaryskill in the art with the present disclosure before them. Moreover, whenthe computing device 1500 is a mobile computing device, the computingdevice 1500 may likewise include mobile web browser applications.

It is noteworthy that any hardware platform suitable for performing theprocessing described herein is suitable for use with the technology.Computer-readable storage media refer to any medium or media thatparticipate in providing instructions to a central processing unit(CPU), a processor, a microcontroller, or the like. Such media may takeforms including, but not limited to, non-volatile and volatile mediasuch as optical or magnetic disks and dynamic memory, respectively.Common forms of computer-readable storage media include a floppy disk, aflexible disk, a hard disk, magnetic tape, any other magnetic storagemedium, a CD-ROM disk, digital video disk (DVD), any other opticalstorage medium, RAM, PROM, EPROM, a FLASHEPROM, any other memory chip orcartridge.

The embodiments described above consider the effect(s) of state and/orfederal laws on a data incident, and specifically what types ofobligations arise in view of these laws. The embodiments also considerthe generating a notification schedule in light of the obligationsimposed upon a breaching party.

The present technology can also be extended to consider not only local,state, federal, international laws, as well as combinations thereof, butalso the impact of contractual obligations on a breaching party.

In some embodiments, the present technology can evaluate and apply threeseparate and types of obligations. The first type of obligations arisefrom the application of state law to a data incident. The application ofthe first type of obligations results in the imposition of a first setof obligations for a breaching party. The second type of obligationsarise from the application of federal law to a data incident. Theapplication of the second type of obligations results in the impositionof a second set of obligations for a breaching party.

The third type of obligations arise from the application of contractualobligations to a data incident. The application of the third type ofobligations results in the imposition of a third set of obligations to abreaching party.

According to some embodiments, each of the first set, second set, andthird set of obligations are different from one another. That is, eachset of obligations will impose a unique obligation or set of obligationson the breaching party, which are different from the other sets ofobligations. For example, a third set of obligations imposed by acontractual obligation comprises a requirement of a rapid emailnotification to all business customers within 24 hours of a dataincident. While state and federal laws will have their own obligations,the state and federal laws will not have this obligation.

While a breaching party is generally defined as a party that hasobligations imposed on it due to a data incident, in the context of acontractual obligation, a breaching party is one of at least two or moreparties to a contractual obligation. This breaching party is the subjectof a data incident. For example, a contract exists between a data ownerand a data custodian, who are both parties to a contractual obligation.The contractual obligation specify certain obligations relating that arein addition to, or in excess of, the state or federal rules that dictateobligations in light of a data incident/breach.

In general, the present technology can be used to create response plansinvolving data incidents where parties to the data incident have hybridroles. For example, the parties could include a covered entity and abusiness associated of the covered entity. The present technologyprovides workflow management that allows an entity to manage its stateand federal regulatory obligations as well as its contractualobligations stemming from a data incident involving data that is ownedby the entity, as well as data that is being processed or maintained bya second entity on behalf of the entity's clients.

Whereas state and federal obligations are imposed on any party that isinvolved in a data incident via statute or law, a contractual obligationrelating to data privacy involves obligations that are imposed bycontract onto one or more of the parties to the contract.

A data owner, a data maintainer, a data steward, and a data custodianare to be understood in terms of their relationship or role relative toa set of data that is the subject of a data incident. A data owner is aparty that has complete legal rights over a set of data. The data owneralso has rights in use, acquisition, distribution, destruction of thisdata—just to name a few. A data custodian controls authorization foraccess data, interpreting data security policies, data versioningcontrol, and so forth. A data steward is responsible for data elements,controlling both data content and metadata, as well as usageconsistency, data conflict resolution, and so forth. The data custodianand data steward work together to preserve data security of the set ofdata. The roles of a data custodian and a data steward will be construedin accordance with data governance rules applied between the parties tothe contractual obligation.

It will be understood that multiple parties involved in a data incidentcan have obligations imposed upon them. Thus, in some instances only oneparty in a data incident is obligated with notification requirements. Inother embodiments, multiple parties can be imposed with obligations dueto a data incident.

In the context of HIPPA, in one embodiment a first party is a coveredentity and a second party is a business associate of the covered entity.If a data incident occurs, regardless of the fault of any given party,both the covered entity and the business associate are subject tonotification obligations. Due to the respective roles, the obligationsfor each party can be different. The state and federal laws can haveobligations that are imposed on each party and these obligations can bedifferent from one another.

Also, the covered entity and the business associate can have an executedcontractual agreement that defines contractual obligations for theparties. For example, a covered entity can employ a business associateto carry out its administrative functions related to the provision ofhealthcare services. To allow for this sharing of duties, HIPPA rulesrequire that a written agreement be in place between the covered entityand the business associate. This agreement clearly defines the duties ofthe parties that are to be performed under the contract as well asobligations imposed on both the parties as required under HIPPA/HITECHlaws.

For context, the definitions of both a covered entity and a businessassociate are defined in 45 CFR 160.103, which is cited herein andincorporated by reference.

While the above example references parties such as a covered entity anda business associate with respect to HIPPA/HITECH obligations, thepresent technology can apply any contractual provision that imposesobligations on a party to the contract in the event of a data incident.

In one embodiment, a covered entity could include a hospital group thatservices patients. A business associate of the hospital group couldinclude a billing and accounting service that has access to patientinformation. The accounting service provides a business function to thehospital and encounters potential or actual PII or PHI. A serviceagreement is established between the hospital group and the accountingservice and this agreement includes several provisions that deal withhow PII and PHI are to be maintained by the accounting service. Theservice agreement also includes notification obligations that specifyhow the accounting service should handle notifications to the coveredentity or patients in response to a data incident.

In another embodiment, a doctor's group which operates out of thehospital would be considered a covered entity with respect to itspatients. The hospital group would be a business associate of thedoctor's group that uses the hospital facilities.

The obligations found in a service agreement can be manually into therisk assessment server by one or more parties. In another embodiment,the service agreement can be uploaded to the risk assessment server andthe risk assessment server can extract relevant obligations from theservice agreement relating to data incident obligations. Additionally,an identification of a role for each party to the agreement can be made.In this, the risk assessment sever can efficiently identify notificationobligations for a party to the service agreement and create anotification schedule that includes the relevant contractualnotification obligations, as well as other state and federalnotification obligations imposed by statute.

Using the examples above, it will be appreciated that an entity can beboth a covered entity and a business associate, but these roles dependon the natural of the relationship with the entity and other entities,defined by a contractual relationship.

The suggestions or recommendations generated by the risk assessmentserver are dictated, in some embodiments, by the role assumed by a partyto a contractual agreement. Because a party can be both a data owner(covered entity) and a data maintainer (business associate), relative tothe same data incident.

For example, generating a notification schedule can include generating afirst notification schedule for a party when the party is acting as adata owner and generating a second notification schedule for the partywhen the party is acting as a data maintainer. To be sure, the creationof the first and second notification schedules occurs in response to thesame data incident.

The extraction of obligations can include the risk assessment serveranalyzing the service agreement for keywords or phrases indicative ofnotification obligations.

FIG. 16 is a flowchart of an example method that is executed inaccordance with the present technology. The risk assessment serverdescribed above can be configured to execute the method illustrated inFIG. 16.

In some embodiments, the method includes identifying 1605 the occurrenceof a data incident. Once a data incident has been identified, the methodincludes receiving 1610 data incident data that comprises informationcorresponding to the data incident. The data incident data can comprise,for example, the identities of the parties involved in the databreach/incident.

As mentioned above, the data incident is defined by the intentional orunintentional release of personally identifiable information to anuntrusted environment.

Next, the method includes automatically generating 1615 a riskassessment from a comparison of the data incident data to privacy rules.In one embodiment, the method includes determining 1620 if at least onefederal rule should be applied. Also, the method includes determining1625 if at least one state rule should be applied.

To be sure, each of the state and federal rules define requirementsassociated with data incident notification laws.

In some embodiments, the method includes determining 1630 if at leastone contractual obligation defining contractual requirements of abreaching party due to the data incident. As mentioned previously, thebreaching party is a party to the at least one contractual obligation,such as a covered entity and a business associate.

The method also comprises providing 1640 the risk assessment to adisplay device that selectively couples with the risk assessment server,as well as generating 1645 a notification schedule when the comparisonindicates that the data incident violates at least one of the at leastone federal rule, the at least one state rule, the at least onecontractual obligation, or combinations thereof.

The method described above can be executed in any order. Steps can beadded, omitted, and/or modified as required so long as the stepsselected for the method are consistent with the teachings providedherein. For example, the method can include a step of determining a rolefor each entity in a contractual agreement. This process can occurbefore the data incident occurs or can be performed after the dataincident occurs, but prior to creation of the notification schedules.

FIG. 17 is a flowchart of a method for managing a data incident.

As with the method of FIG. 16, the risk assessment server is utilized toperform the method. Generally, the method of FIG. 17 involves theidentification of a data incident and the selection of a role for aparty that is based on a contractual agreement between that party andone or more parties. The role, in part, dictates the obligations imposedon that party either by state or federal law, as well as any obligationsfor that party set forth in the agreement. For context, some state andfederal laws impose duties or obligations on a party depending uponwhether they are a data owner or a data maintainer. By way of example,HIPPA laws impose duties on both covered entities and businessassociates. These obligations are different for each role. As mentionedabove, a party can be both a covered entity and a business associatewithin the context of a single data breach.

The method includes a step of creating 1705 an incident record for adata incident. This data record includes information regarding the dataincident.

Next, the method includes selecting 1710 one or more roles for eachparty involved in the data incident. Again, a single party can beassigned two or more roles for a single incident.

Once the incident has been identified and one or more roles assigned toeach party to the data incident, the method includes automaticallygenerating 1715 a risk assessment from a comparison of the data incidentto the privacy rules.

The method also includes generating 1720 a notification schedule foreach party to the data incident that is based on the role or roles forthe party when a comparison of the privacy rules to the data incidentindicates that the data incident violates at least one of the at leastone federal rule, the at least one state rule, the at least onecontractual obligation, or combinations thereof.

In some embodiments, the present technology can leverage an externalentity workflow to manage complex relationships and obligations betweencontracting parties. Thus, in addition to having regulatory obligationimposed by regulatory agencies who apply state and federal privacyrules, parties can also have specific notice obligations that stem fromcontractual obligations between parties.

Specific definitions and descriptions for various parties are providedfor clarity of description. On type of party is a covered entity (CE),which comprises an entity that is covered by federal or state privacylaws, some of which require notification obligations to impactedparties. According to the HHS (health and human services) definition, aCE can be a Healthcare Provider such as a doctor or healthcare clinic, aHealth Plan (e.g., health insurance company, HMO, Medicare/Medicaid), ora Healthcare Clearing House. According to the FTC (federal tradecommission), a CE is a financial institution.

Another type of party is a Business Associate/Service Provider.According to the HHS definition, a business associate (BA) is a personor entity that creates, receives, maintains, or transmits protectedhealth information to perform certain functions or activities on behalfof a covered entity. The equivalent entity in the financial world isreferred to as a Service Provider (SP).

Parties can enter into a Business Associate Agreement (BAA), where theBAA is the contract between a CE and an external entity that coversobligations such as notifications, indemnification, and so forth.

In some instances, these BAAs (as well as other contracts) can includeindemnification clauses. If there is a data breach or HIPAA violation,these events can incur costs such as attorney fees, notification costs,credit monitoring, or fines. An indemnification clause determines whopays the costs. If you are the indemnified party, an indemnificationclause is a promise by the other party to cover your losses if they dosomething that causes you harm. “Indemnify” and “hold harmless” mean thesame thing—to make whole after causing a loss. See article on HIPAA.com.

A subcontractor is a person or entity to which a business associatedelegates a function, activity or service in a capacity other than as amember of the workforce of such business associate.

An upstream/downstream position describes where an entity exists in thechain of HIPAA or FTC compliance. For example, a BA is downstream of aCE, a subcontractor is downstream of a BA, and a CE is upstream from aBA and a subcontractor—just to name a few.

An external entity is an organization with which a first party has arelationship as defined by a contract. The relationship can be as aclient, business associate, service provider, or subcontractor.

In some instances, parties can implement a fully insured or self-fundedhealth plan. Employers that offer health insurance benefits financethose benefits in one of two ways: (1) they purchase health insurancefrom an insurance company (fully insured plans), or they self-fund thehealth benefits directly for employees (self-funded or employeesponsored plans) and contract with insurance companies to serve asthird-party administrators of the insurance plan. Employers withself-funded plans are usually considered to be CE's and must comply withthe HIPAA privacy and security rules. This is because the employer hasaccess to its employees' medical information, either directly or througha third-party administrator (TPA). Usually, the TPA is a healthinsurance company.

In general, the external workflow processes described herein can supportcovered entities as defined by HIPPA and their obligations under HIPPAFinal Rule, and financial institutions as defined by the FTC and theirobligations under GLBA. The external entities workflow extends thefunctionality of the risk assessment server (described in greater detailinfra) to include external entities (BA or SP) that have obligations toclients, individuals, and agencies. The risk assessment server can beconfigured to handle contractual obligations similarly to regulatoryjurisdictions.

The risk assessment server can implement various UIs to request,capture, process, and identify notification obligations for contractingparties. In some embodiments, the risk assessment server can createexternal entities, define contacts and notifications, and definenotification rules.

The risk assessment server can configure specific properties to “unlock”the external entities workflow. For example, the risk assessment servercan set properties that trigger notice obligations. When the propertiesof a data incident match these triggers, a party is informed that theirnotice obligations have been triggered. This informational process canspecify entities requiring notification, the content of the requirednotification, and so forth.

In some embodiments, the risk assessment server can specify one or moreaffected external entities, and at least one regulatory jurisdictioninvolved in the data incident.

An assessment of the incident can occur and can be conducted inaccordance with any of the embodiments described above.

According to some embodiments, the risk assessment server can optionallygenerate and/or display various UIs that allow a party to view theregulatory assessment results and evaluate whether any jurisdictions arenotifiable breaches.

In some embodiments, an example workflow can comprise a covered entitycreating a data incident record within the risk assessment server. TheCE can initiate a workflow on its own behalf in this embodiment. The CEdefines a source, which is itself as well as its role as a CE. The CEcan select employees who were involved in the data incident. In anotherembodiment the CE can create a workflow for an incident on behalf of aBA. In these embodiments, the CE can specify that the source is externalin nature (a BA) and that the reporting party is a CE. The riskassessment server then specifies the name of the BA who caused theincident and may also specify an incident date. The CE can utilize therisk assessment server to determine its notice obligations, if any andbegin the notification and remediation process. The CE can utilize therisk assessment server to monitor the implicated BA's compliance to itscontractual notice obligations.

In another example data incident, a BA causes a breach that has impactedone or more CEs and the BA can be obligated due to contractualobligations with CEs. In this example, the BA can create the incidentreport and define any relevant properties such as role, employees, andso forth.

A BA can also specify a data incident on behalf of a subcontractor.Again, the subcontractor is a downstream entity of a BA. When thesubcontractor reports the incident to the BA, the BA can define incidentproperties such as source, role, employee(s), BA, and informed date(e.g., the date on which the BA was informed by the subcontractor that adata incident had occurred).

In some embodiments, a notifying party can be defined as a hybrid entitythat has both regulatory and external entity obligations. In theseinstances, the party can be obligated due to a state law, a federal law,and/or a contractual obligation.

FIG. 18 illustrates a table that includes a list of entity designations,roles, and permutations of internal and external notificationobligations based on party type and an associated role.

FIG. 19 is a flowchart of an example method of an external workflowprocess. As with the methods above, the risk assessment server isutilized to perform the method. In some embodiments, the methodcomprises the risk assessment server providing 1905 an external entityinterface that receives external entity information. In someembodiments, the external entity information can comprise a contractbetween a first party and at least one additional party. For example,one of the parties can upload a copy of a contract between the firstparty and at least one additional party. This contract specifiescontract clauses that can include notification obligations, such as theindemnification agreement/clauses defined above. The contractualobligations can take various forms as would be appreciated by one ofordinary skill in the art.

In some embodiments, a party can define notification obligations thatspecify when the first party or the at least one additional partynotifies entities that a data incident has occurred, as well asproperties that trigger an assessment of the notification obligations.

The properties can include many permutations of variousquantities/qualities/parties. These properties can include source(either internal or external), party role, breaching party relationship,incident date, and incident details.

In some embodiments, some properties that can affect the assessment, orcan be deleted or deactivated such as a Relationship Contractual NotifyRule, a Regulatory Notify Rule, Timeline, Contacts, Notifications, andActive/Resolved. Changes can be saved in the UI at any time. The changeswill propagate to existing incidents as described (and configured) inthe Message column. The server may not allow locked incidents to beupdated because of a desire to maintain the integrity of the assessmenthistory.

Deleting a contact or notification or deactivating an external entityremoves the relevant configuration from the server. If changes areapplied to incidents that are assessed but unlocked, the assessment datais cleared and users must reassess the incident. A new contact can becreated at any time without risk.

Properties that are displayed in the incident but don't affect theassessment include, but are not limited to Entity Name, Entity Type,Contact Name, Notification Name, Notification Method, and NotificationSummary.

In some embodiments, the method can comprise receiving 1910, via a riskassessment server, in response to an occurrence of the data incident.The data incident data comprises information corresponding to the dataincident, the data incident further comprising intentional orunintentional release of personally identifiable information to anuntrusted environment by the first party or the at least one additionalparty.

Next, the method includes comparing 1915 the data incident data to theproperties that trigger an assessment. To be sure, if the propertiesindicate that an assessment is required the method further comprisesgenerating 1920, via the risk assessment server, a risk assessment froma comparison of the data incident data to privacy rules.

In some embodiments, the privacy rules comprise one or more of thefollowing: (a) at least one federal rule; (b) at least one state rule,each of the rules defining requirements associated with data incidentnotification laws; and (c) the contract.

According to some embodiments, the method includes the providing 1925,via the risk assessment server, the risk assessment to a display devicethat selectively couples with the risk assessment server.

Additionally, the method includes generating 1930 a risk assessmentguidance interface when the comparison indicates that the data incidentviolates at least one of the at least one federal rule, the at least onestate rule, the contract, or combinations thereof.

FIG. 20 is an example risk assessment guidance interface 2000. The riskassessment guidance interface 2000 comprises a basic information section2002 that defines various entity or party data. The risk assessmentguidance interface 2000 also comprises a contract upload mechanismsection 2004 that allows one or more parties to upload a contract thatdefines the notification obligations between the parties.

In some embodiments, the interface 2000 can also comprise anotifications section 2006 that allows a party to specify notificationobligations.

In some instances, default notification obligations can be implementedif no specific notification obligations are defined.

To be sure, the properties that trigger the notification obligations canbe determined from the party information collected in the basicinformation section 2002, as well as the contractual informationuploaded in the contract upload mechanism section 2004.

FIG. 21 illustrates another example risk assessment guidance interface2100 that allows a party to manage its external entity relationships.For example a business associate ABC Corp is listed. Each of theentities defined using the assessment interface 2000 of FIG. 20 will belisted in the risk assessment guidance interface 2100.

FIG. 22 is a screenshot of a detailed incident assessment user interface2200. Specifically, the detailed incident assessment user interface 2200includes a contract based assessment of obligations. A summary section2202 is provided which indicates violation type, which in this instanceincludes HIPAA HITECH (federal rule). The summary section can alsoidentify impacted external entities and status of analysis for each ofthe external entities.

A breach assessment section 2204 provides the specific details of anidentified data incident, for two specific entities/parties. The firstentity is a diagnostic imaging company and the second entity is afortune 500 manufacturing company. To be sure, these entities are theparties to which a BA or other downstream external entities areobligated to notify that a privacy incident has occurred. Each of theseentities will have a detailed summary about whether they have been orwill be notified and status indicator for the current notificationanalysis.

FIG. 23 includes a detailed incident interface 2300 that provides arobust set of details for an identified incident. An incident detailsection 2302 includes attributes of the incident gathered from theincident details provided by a reporting party. A risk factor section2304 is also included that provides more specific details regarding theseverity of the data incident.

FIG. 24 is another summary interface 2400 that includes various sectionsthat provide additional details regarding a data incident. The interfacecomprises a regulated data section 2402, a data sensitivity section2406, a jurisdictions section 2408, and an external entities section2410. These various sections can include visual indicators that inform auser as to the types of data involved in the data incident, as well as asensitivity level of the data involved in the incident, as well as anyjurisdictions involved (e.g., if state or federal rules are implicated),and a list of any external entities that are involved in or impacted bythe data incident.

FIGS. 25-26 illustrate a table of external entity administration consolefeatures. FIGS. 27-33 illustrate a table of external entity workflowfeatures for the risk assessment server. Some of the illustratedfeatures require customer licensing. FIGS. 34-35 collectively illustratea table of additional functionalities that can be implemented by therisk assessment server. These features illustrated in FIGS. 25-35 arenot intended to be limiting in any way but are example features andlogic that can be implemented by the risk assessment server.

While various embodiments have been described above, it should beunderstood that they have been presented by way of example only, and notlimitation. The descriptions are not intended to limit the scope of thetechnology to the particular forms set forth herein. Thus, the breadthand scope of a preferred embodiment should not be limited by any of theabove-described exemplary embodiments. It should be understood that theabove description is illustrative and not restrictive. To the contrary,the present descriptions are intended to cover such alternatives,modifications, and equivalents as may be included within the spirit andscope of the technology as defined by the appended claims and otherwiseappreciated by one of ordinary skill in the art. The scope of thetechnology should, therefore, be determined not with reference to theabove description, but instead should be determined with reference tothe appended claims along with their full scope of equivalents.

What is claimed is:
 1. A method for managing a data incident,comprising: providing an external entity interface that receives:external entity information comprising: a contract between a first partyand at least one additional party; notification obligations that specifywhen the first party or the at least one additional party notifiesentities that a data incident has occurred; and properties that triggeran assessment of the notification obligations; receiving, via a riskassessment server, in response to an occurrence of the data incident,data incident data that comprises information corresponding to the dataincident, the data incident further comprising intentional orunintentional release of personally identifiable information to anuntrusted environment by the first party or the at least one additionalparty; comparing the data incident data to the properties that triggeran assessment; wherein if the properties indicate that an assessment isrequired, generating, via the risk assessment server, a risk assessmentfrom a comparison of the data incident data to privacy rules, theprivacy rules comprising: at least one federal rule; at least one staterule, each of the rules defining requirements associated with dataincident notification laws; and the contract; providing, via the riskassessment server, the risk assessment to a display device thatselectively couples with the risk assessment server; generating a riskassessment guidance interface when the comparison indicates that thedata incident violates at least one of the at least one federal rule,the at least one state rule, the contract, or combinations thereof; andwherein the risk assessment guidance interface comprises an impactsummary that indicates which state or federal rule was violated and oneor more external entities implicated or impacted in the data incident.2. The method according to claim 1, wherein receiving data incident datacomprises: providing one or more questions to the display device thatelicit information corresponding to the data incident; receivingresponses to the one or more questions; providing the responses to thedisplay device; and receiving confirmation of at least a portion of theresponses.
 3. The method according to claim 1, further comprising:receiving one or more selections of one or more states; selecting one ormore state statutes based upon the one or more selections; andgenerating at least one state rule based upon a selected state statute.4. The method according to claim 1, wherein the at least one federalrule comprises a federal statute that governs privacy breaches relativeto at least one of protected health information (PHI), personallyidentifiable information (PII), or combinations thereof.
 5. The methodaccording to claim 1, wherein the at least one state rule comprises astate statute that governs privacy breaches relative to at least one ofprotected health information (PHI), personally identifiable information(PII), or combinations thereof.
 6. The method according to claim 1,wherein the risk assessment comprises a risk level that indicates aseverity of the data incident relative to at least one of the at leastone federal rule, the at least one state rule, or combinations thereof.7. The method according to claim 6, wherein the risk level is associatedwith a color, wherein a hue of the color is associated with the severityof the data incident as determined by the comparison.
 8. The methodaccording to claim 1, wherein the risk assessment defines one or moreexceptions that apply to at least a portion of the data incident databased upon the comparison.
 9. The method according to claim 1, whereinthe risk assessment comprises at least a portion of the at least onestate rule.
 10. The method according to claim 1, further comprisingproviding an alert to the display device when the comparison indicatesthat the data incident violates at least one of the at least one federalrule, the at least one state rule, or combinations thereof.
 11. Themethod according to claim 1, wherein the notification obligationscomprise notification dates that are based upon a violated statute,along with notification requirements that describe information that isto be provided to a regulatory agency.
 12. The method according to claim11, further comprising receiving the information that is to be providedto a regulatory agency and storing the same in a content repositoryassociated with the risk assessment server.
 13. The method according toclaim 1, wherein the comparison includes modeling of the data incidentdata to the privacy rules to determine a severity and a data sensitivityof the data incident.
 14. The method according to claim 1, wherein thecomparison comprises: modeling the data incident data to determineseverity and data sensitivity of the data incident by evaluating thedata incident data relative to the at least one state rule; andgenerating a state specific risk assessment from the modeling.
 15. Themethod according to claim 1, wherein the data incident data specifies arole for the first party or the at least one additional party as abusiness associate, a client, or service provider, a data incidentnotification date, and combinations thereof.
 16. The method according toclaim 1, wherein the data incident data specifies an identification of asubcontractor rather than one or more employees.
 17. The methodaccording to claim 1, wherein the first party or the at least oneadditional party is both a covered entity and a business associate ofanother covered entity.
 18. The method according to claim 1, wherein theexternal entity interface comprises a contract upload interface and anotification designation interface.
 19. The method according to claim 1,wherein the risk assessment guidance interface comprises an externalentity assessment profile that comprises a chronological list of dataincident events and a disposition for each of the data incident events.20. The method according to claim 1, further comprising generating adata incident detail interface that comprises risk factors from the dataincident data, a regulated data table, a data sensitivity index,jurisdiction identification, and an identity of any external entities,or any combinations thereof.
 21. The method according to claim 20,wherein the regulated data table comprises cells that each comprise avisual indicator of low, medium, or high risk for each type of sensitiveinformation included in the data incident.
 22. The method according toclaim 21, wherein the jurisdiction identification comprises anidentification of the at least one federal rule or the at least onestate rule.
 23. The method according to claim 1, further comprisinggenerating a data incident detail interface that comprises selecteddetails for the data incident in visual format.